CVE-2023-20273

CVE-2023-20273 is a high-severity zero-day vulnerability disclosed by Cisco on October 21, 2023. This flaw in software design or implementation was actively exploited to deploy malicious implants on IOS XE devices. The exploitation of this vulnerability was discovered during the investigation of another zero-day (CVE-2023-20198), which had been revealed earlier in the same week. The exploit method for CVE-2023-20273 involves a second zero-day vulnerability, which was only discovered while investigating the initial one. This secondary vulnerability allows the attacker to elevate their privileges to root and write an implant on the file system. Instead of exploiting the first zero-day directly, attackers leveraged this second zero-day within another component of the WebUI feature to run the malicious implant. In summary, the attackers exploited two zero-day vulnerabilities (CVE-2023-20273 and CVE-2023-20198) to compromise IOS XE devices. These attacks involved privilege escalation and writing a malicious implant on the file system. As these vulnerabilities are being actively exploited, it's crucial for organizations to apply patches as soon as they become available to mitigate the risk of further attacks.